3

When someone opens a session using WinSCP, the session is not shown in Linux when I run the who or last commands. I thought that it would appear because it is using SSH to connect. But still there are no records. It could prove to be a security issue.

I mean, if a user logs in and deletes some file and there is no record of it, how are we going to trace it?

slm
  • 369,824
OmiPenguin
  • 4,308

1 Answer

3

who and last only show if you're logged in. When you're using scp you're technically not logged in, since your shell on the remote side was not spawned as such.

To trace such things you'd need to utilize process accounting; a package called psacct can provide you with that level of logging if that's what you're after. Also, the logging via SSH can be augmented to show you some of these details if that's what you want.

The commands who and last are not intended for that purpose.

last & who

This terminology always confuses people since they associate a connection with being logged in, but they are 2 very different states. When you access a web server you're consuming a remote system's resources without being logged in. That's essentially what you have going on when you're performing an scp.

excerpts from last & who man pages

last

last, lastb - show a listing of last logged in users

who

who - show who is logged on

Example

Here I've logged into a server using SFTP, yet who and last are oblivious.

$ ps auxf | less
...
root      3376  0.0  0.0   7212  1040 ?        Ss   Sep10   0:00 /usr/sbin/sshd
root     29066  0.0  0.0  10108  3004 ?        Ss   09:44   0:00  \_ sshd: sam [priv] 
sam      29071  0.0  0.0  10240  1836 ?        S    09:44   0:00  |   \_ sshd: sam@notty  
sam      29072  0.1  0.0   6708  1740 ?        Ss   09:44   0:00  |       \_ /usr/libexec/openssh/sftp-server
root     29202  0.1  0.0  10084  3052 ?        Ss   09:44   0:00  \_ sshd: root@pts/0 
root     29204  0.6  0.0   6268  3052 pts/0    Ss   09:44   0:00      \_ -bash
root     29255  0.0  0.0   4624  1108 pts/0    R+   09:45   0:00          \_ ps auxf
root     29256  0.0  0.0   4288   760 pts/0    S+   09:45   0:00          \_ less

Since I have no shell that was executed as a login shell, I'm technically not logged in. When I ssh to the system as root, as shown above, I do have a shell, bash.

The output of who -a bears this out:

$ who -a
                        2014-09-10 05:15               398 id=si    term=0 exit=0
           system boot  2014-09-10 05:15
           run-level 5  2014-09-10 05:15                   last=S
                        2014-09-10 05:16              2307 id=l5    term=0 exit=0
LOGIN      tty1         2014-09-10 05:16              3785 id=1
LOGIN      tty2         2014-09-10 05:16              3786 id=2
LOGIN      tty3         2014-09-10 05:16              3787 id=3
LOGIN      tty4         2014-09-10 05:16              3788 id=4
LOGIN      tty5         2014-09-10 05:16              3792 id=5
                        2014-09-10 05:16              3794 id=6
                        2014-09-10 05:16              3799 id=x
root     + pts/0        2014-09-25 09:51   .         29300 (mulder.mydom.net)
           pts/1        2014-09-24 16:36             20324 id=ts/1  term=0 exit=0
           pts/1        2014-09-12 02:40             27603 id=/1    term=0 exit=0
           pts/2        2014-09-12 03:21             27820 id=ts/2  term=0 exit=0

Notice there is no reference to the user, sam, with the SFTP connection. If you want to determine if a shell's interactive or not take a look at this U&L Q&A titled: How to check if a shell is login/interactive/batch.

slm
  • 369,824
  • Yes, I confused being logged in with an SSH connection. You explained it very well. OK, I will read the links you shared.

    Thanks

    – OmiPenguin Sep 25 '14 at 13:53
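An added example, not part of slm's answer or anything posted in this thread, showing where the trace of an SFTP session actually lives when who and last are silent. sshd only writes a utmp/wtmp record when it allocates a pty for a session, which is why the `sam@notty` sftp-server process above never appears in who -a; the authentication itself is still logged by sshd, and if the sftp subsystem is configured with `-l INFO` (assumed here as `Subsystem sftp /usr/lib/openssh/sftp-server -l INFO -f AUTH` in sshd_config; adjust the binary path for your distribution) every open and remove is logged with the sftp-server PID. The log lines below are constructed samples in the format OpenSSH's sshd and sftp-server emit, not real log data from the page; the host names, addresses and file names are made up.

```shell
#!/bin/sh
# Added example (not from the original answer): recovering an SFTP
# session's file deletions from syslog once sftp-server logs at INFO.
# Assumed sshd_config line (path varies by distribution):
#   Subsystem sftp /usr/lib/openssh/sftp-server -l INFO -f AUTH

# Constructed sample of /var/log/auth.log (or /var/log/secure).
# The PIDs mirror the ps tree in the answer; the addresses are fictional.
SAMPLE_LOG='Sep 25 09:44:01 host sshd[29066]: Accepted publickey for sam from 192.0.2.10 port 51234 ssh2
Sep 25 09:44:01 host sftp-server[29072]: session opened for local user sam from [192.0.2.10]
Sep 25 09:44:07 host sftp-server[29072]: open "/home/sam/notes.txt" flags READ mode 0666
Sep 25 09:44:12 host sftp-server[29072]: remove name "/home/sam/important.txt"
Sep 25 09:44:13 host sftp-server[29072]: session closed for local user sam from [192.0.2.10]
Sep 25 09:51:30 host sshd[29202]: Accepted password for root from 192.0.2.20 port 51240 ssh2'

# Every authenticated SSH session, shell or not, shows up as an
# "Accepted" line from sshd. Prints: user source-address auth-method
ssh_logins() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        /sshd\[[0-9]+\]: Accepted / { print $9, $11, $7 }'
}

# File removals performed over SFTP, attributed to the user whose
# "session opened" line carries the same sftp-server PID.
# Prints: user pid removed-path
sftp_removals() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        function pid_of(field,   p) {
            p = field
            sub(/^sftp-server\[/, "", p); sub(/\]:$/, "", p)
            return p
        }
        /sftp-server\[[0-9]+\]: session opened for local user/ {
            user[pid_of($5)] = $11          # word after "user"
        }
        /sftp-server\[[0-9]+\]: remove name/ {
            pid = pid_of($5)
            file = $0
            sub(/.*remove name "/, "", file); sub(/"$/, "", file)
            u = (pid in user) ? user[pid] : "?"
            print u, pid, file
        }'
}

echo "SSH authentications:"; ssh_logins
echo "SFTP removals:";       sftp_removals
```

On the sample above `sftp_removals` prints `sam 29072 /home/sam/important.txt`, which is exactly the record the question is asking for, even though `who -a` would still show nothing for sam. With psacct installed, `lastcomm sftp-server` additionally lists each execution of the subsystem binary with the user and start time, but not the file names, so the sftp-server log level is the half that answers "which file was deleted".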